Upon any HTTP request the framework should check if the user pertaining to the HTTP request (via session ID) is valid.

+

Upon any HTTP request the framework should check if the user pertaining to the HTTP request (via session ID) is valid.

'''Successful Authentication''':

'''Successful Authentication''':

−

Upon a successful login the user should be issued a new session identifier. The old session ID should be invalidated. This prevents session fixation attacks and the same browser also sharing the same session ID in a multi user environment. Some times the session ID is per browser and the session remains valid while the browser is alive.

+

Upon a successful login the user should be issued a new session identifier. The old session ID should be invalidated. This prevents session fixation attacks and the same browser also sharing the same session ID in a multi user environment. Sometimes the session ID is per browser, and the session remains valid while the browser is alive.

'''Logout''':

'''Logout''':

−

This also leads to the idea of why a logout button is so important. The logout button should invalidate the users session ID when it is selected.

+

This also leads to the idea of why a logout button is so important. The logout button should invalidate the user’s session ID when it is selected.

Introduction

Cookies can be used to maintain a session state. This identifies a user whilst in the middle of using the application. Session IDs are a popular method of identifying a user. A "secure" session ID should be at least 128 bits in length and sufficiently random. Cookies can also be used to identify a user, but care must be taken in using cookies. Generally it is not recommended to implement a SSO (Single Sign on) solution using cookies; they were never intended for such use. Persistent cookies are stored on a user hard disk and are valid depending on the expiry date defined in the cookie. The following are pointers when reviewing cookie related code.

How to Locate the Potentially Vulnerable Code

If the cookie object is being set with various attributes apart from the session ID check the cookie is set only to transmit over HTTPS/SSL. In Java this is performed by the method:

HTTP Only Cookie

This is adhered to in IE6 and above. HTTP Only cookie is meant to provide protection against XSS by not letting client side scripts access the cookie. It's a step in the right direction but not a silver bullet.

cookie.HttpOnly = true (C#)

Here cookie should only be accessible via ASP.NET.

Note that HTTPOnly property is not supported in Classic ASP pages.

Limiting Cookie Domain

Ensure cookies are limited to a domain such as example.com; therefore the cookie is associated to example.com. If the cookie is associated with other domains the following code performs this:

Leading Practice Patterns for Session Management/Integrity

HTTPOnly Cookie:
Prevents cookie access via client side script. Not all browsers support such a directive.

Valid Session checking:

Upon any HTTP request the framework should check if the user pertaining to the HTTP request (via session ID) is valid.

Successful Authentication:

Upon a successful login the user should be issued a new session identifier. The old session ID should be invalidated. This prevents session fixation attacks and the same browser also sharing the same session ID in a multi user environment. Sometimes the session ID is per browser, and the session remains valid while the browser is alive.

Logout:
This also leads to the idea of why a logout button is so important. The logout button should invalidate the user’s session ID when it is selected.